2.
Addressing CIP: A Thailand Case Study
by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS
Synopsis:
In many countries where Critical Infrastructure Protection is not yet a
regulatory requirement, or is not taken seriously by the government,
perception, understanding, collaboration and a qualified workforce are
big challenges. Many misperceptions about securing those systems make it
hard to convince management and stakeholders to support activities and
investments. However, legislation is not the only way to go; many other
factors, e.g. BCM, Risk Management, etc., can be brought in to help win
management's attention. As security professionals, how can we make things
better? How can we use the other mechanisms available to help address
this challenge?
In Thailand, even though we have not explicitly issued a law specifically for
CIP, we have done something to address CIP to some extent. We help raise
awareness and understanding through trainings and seminars that demonstrate
the vulnerability and exploitability of such systems. We introduce ISO27001
as a basic security management framework. Of course, there are many other
things that need to be done to address this challenge.

4.
Disclaimer
• I am not a representative of either the Thailand
government or any commission I have been
involved with.
• I am not a spokesperson for my
company.
• I am here as an infosec professional working and
contributing in Thailand, and would like to share
some experience and Thailand's circumstances for
the sake of global professional community
collaboration and contribution.

8.
Transportation – Road Signs
In the real world
Event: Jan 2009, Texas road signs compromised
Impact: Motorists distracted and provided false information
Specifics: Some commercial road signs can be easily altered because
their instrument panels are frequently left unlocked and their default
passwords are not changed.
"Programming is as simple as scrolling down the menu selection," a
blog reports. "Type whatever you want to display … In all likelihood, the crew
will not have changed [the password]."
Lessons learned:
• Use robust physical access controls
• Change all default passwords
• Work with manufacturers to identify and protect password
reset procedures

10.
In the real world
Security Guard Busted For Hacking Hospital's HVAC,
Patient Information Computers, July 2009
• "A former security guard for a Dallas hospital has
been arrested by federal authorities for allegedly
breaking into the facility's HVAC and confidential
patient information computer systems. In a bizarre
twist, he posted videos of his hacks on YouTube,
and was trying to recruit other hackers to help him
wage a massive DDoS attack on July 4 -- one day
after his planned last day on the job.
• Jesse William McGraw, 25, also known as
"GhostExodus," "PhantomExodizzmo," as well as by
a couple of false names, was charged with
downloading malicious code onto a computer at
the Carrell Clinic in order to cause damage and as a
result, "threatened public health and safety,"
according to an affidavit filed by the FBI. McGraw
worked as a night security guard for United
Protection Services, which was on contract with
the hospital, which specializes in orthopedics and
sports medicine."

11.
In the real world
CIA Admits Cyber attacks Blacked Out Cities
• The disclosure was made at a New Orleans
security conference Friday attended by
international government officials, engineers,
and security managers.
• The CIA on Friday admitted that cyberattacks
have caused at least one power outage affecting
multiple cities outside the United States.
By Thomas Claburn, InformationWeek, January 18, 2008 06:15 PM

13.
In the real world
TISA in Bangkok Post: When Hacking risks health
TISA web site: http://www.tisa.or.th

14.
Common claim: The system is isolated
In the real world
Virus Found On Computer In Space Station
NASA confirmed on Wednesday that a
computer virus was identified on a laptop
computer aboard the International Space
Station, which carries about 50 computers. The
virus was stopped with virus protection
software and posed no threat to ISS systems or
operations, said NASA spokesperson Kelly
Humphries. …
The SpaceRef report suggested that a flash card or USB drive brought
on board by an astronaut may have been the source of the laptop
infection.
InformationWeek August 27, 2008

19.
Obama elevates the priority of
Cybersecurity concerns
May 29, 2009
U.S. President Barack Obama will
appoint a government-wide
cybersecurity coordinator and
elevate cybersecurity concerns to a
top management priority for the
U.S. government, he announced
Friday.
The White House will also develop a
new, comprehensive national
cybersecurity strategy, with help
from private experts, and it will
invest in "cutting edge"
cybersecurity research and
development, Obama said in a short
speech.

21.
Challenges
• Small number of security professionals in the
market
• Misperceptions about control system security
– Security by obscurity
– Separated network
– Not an IT business
– We have no secrets
• Low awareness among stakeholders

22.
Qualified professional undersupply
[Figure: diagram labelled IT Professional, Infosec Prof., Control System Prof. and Control System Cybersecurity Prof.]

23.
The Implication
• Only a small number of professionals with the right
competency to help you out
• Collaboration and support from the professional
community is highly needed

40.
Hacking on Operator workstation
Summary
Scenario #1.1: Known local admin password
Required condition:
• Local admin password is known (default password)
• Remote Desktop is open
Consequence:
Attacker can take over the system
• Attacker can take over GUI
• Attacker can add new user
• Attacker can open share folder
Remediation:
• Change default password
• Restrict access to Remote Desktop
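
A read-only audit for the two required conditions in Scenario #1.1, as an added example that is not part of the original slides. It assumes a Windows 10 / Server 2016 or later workstation with the built-in NetSecurity and LocalAccounts modules, an English "Remote Desktop" firewall rule group name, and a hypothetical 365-day password-age threshold used as a proxy for "default password never changed".

```powershell
# Added audit sketch (not from the slides). Run in an elevated PowerShell
# session on the workstation being reviewed. Read-only: it changes nothing.
# Assumption: a password older than $MaxPasswordAgeDays is treated as
# "possibly unchanged since installation"; adjust to site policy.
$MaxPasswordAgeDays = 365
$findings = @()

# 1. Is Remote Desktop enabled? fDenyTSConnections = 0 means RDP is on.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
if ($rdpEnabled) { $findings += 'Remote Desktop is enabled' }

# 2. If enabled, is access restricted by source address and NLA?
if ($rdpEnabled) {
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    foreach ($rule in $rules) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from any address"
        }
    }
    # Network Level Authentication: UserAuthentication = 1 means required.
    $rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($rdpTcp.UserAuthentication -ne 1) { $findings += 'NLA is not required for RDP' }
}

# 3. Enabled local administrators whose password is old or has no set date.
#    S-1-5-32-544 is the well-known SID of the built-in Administrators group.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' }
foreach ($member in $admins) {
    $user = Get-LocalUser -SID $member.SID
    if (-not $user.Enabled) { continue }
    if ($null -eq $user.PasswordLastSet) {
        $findings += "Local admin '$($user.Name)' has no recorded password change"
    } elseif ($user.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
        $findings += "Local admin '$($user.Name)' password last set $($user.PasswordLastSet.ToString('yyyy-MM-dd'))"
    }
}

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } }
else { 'No findings for the Scenario #1.1 conditions.' }
```

Password age cannot prove a password is still the vendor default; a flagged account is a prompt to rotate the credential, which is the remediation the slide lists.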

51.
Summary
• Been doing
– Help raise awareness
– Informal gatherings of industry leaders
– Some laws and regulations issued
• Future
– Many things are lined up
– Government is to work closely with industry
– Collaboration and community across countries shall be considered
– It will be a long journey